Description

These functions provide various interfaces to the LDAP bind operation. After a
connection is made to an LDAP server, the ldap_bind() function returns the
message ID of the request initiated. The ldap_bind_s() function returns an LDAP
error code.

Simple Authentication

The simplest form of the bind call is ldap_simple_bind_s(). The function takes
the DN (Distinguished Name) of the dn parameter and the userPassword associated
with the entry in passwd to return an LDAP error code. See ldap_error(3LDAP).

The ldap_simple_bind() call is asynchronous. The function takes the same parameters as
ldap_simple_bind_s() but initiates the bind operation and returns the message ID of
the request sent. The result of the operation can be obtained by
a subsequent call to ldap_result(3LDAP).

General Authentication

The ldap_bind() and ldap_bind_s() functions are used to select the authentication method
at runtime. Both functions take an extra method parameter to set the
authentication method. For simple authentication, the method parameter is set to LDAP_AUTH_SIMPLE.
The ldap_bind() function returns the message id of the request initiated. The
ldap_bind_s() function returns an LDAP error code.

SASL Authentication

The ldap_sasl_bind() and ldap_sasl_bind_s() functions are used for general and extensible authentication
over LDAP through the use of the Simple Authentication Security Layer. The
routines both take the DN to bind as the authentication method. A dotted-string
representation of an OID identifies the method, and the berval structure holds
the credentials. The special constant value LDAP_SASL_SIMPLE (“ ”) can be passed
to request simple authentication. Otherwise, the ldap_simple_bind() function or the ldap_simple_bind_s() function
can be used.

The ldap_sasl_interactive_bind_s() helper function takes its data and performs the necessary ldap_sasl_bind()
and associated SASL library authentication sequencing with the LDAP server that uses
the provided connection (ld).

Upon a successful bind, the ldap_sasl_bind() function will, if negotiated by the
SASL interface, install the necessary internal libldap plumbing to enable SASL integrity
and privacy (over the wire encryption) with the LDAP server.

The LDAP_SASL_INTERACTIVE option flag is passed to the libldap API through the
flags argument of the API. The flag tells the API to use
the SASL interactive mode and to have the API request SASL authentication
data through the LDAP_SASL_INTERACTIVE_PROC callback as needed. The callback provided is in the
form:

The user-provided SASL callback is passed to the current LDAP connection pointer,
the current flags field, an optional pointer to user-defined data, and the
list of sasl_interact_t authentication values requested by libsasl(3LIB) to complete authentication.

The user-defined callback collects and returns the authentication information in the sasl_interact_t
array according to libsasl rules. The authentication information can include user IDs,
passwords, realms, or other information defined by SASL. The SASL library uses this
date during sequencing to complete authentication.

Unbinding

The ldap_unbind() call is used to unbind from a directory, to terminate
the current association, and to free the resources contained in the ld
structure. Once the function is called, the connection to the LDAP server
is closed and the ld structure is invalid. The ldap_unbind_s() and ldap_unbind() calls
are identical and synchronous in nature.

The ldap_unbind_ext() function is used to unbind from a directory, to terminate
the current association, and to free the resources contained in the LDAP
structure. Unlike ldap_unbind() and ldap_unbind_s(), both server and client controls can be explicitly
included with ldap_unbind_ext() requests. No server response is made to an unbind
request and responses should not be expected from server controls included with
unbind requests.

Rebinding While Following Referral

The ldap_set_rebind_proc() call is used to set a function called back to
obtain bind credentials. The credentials are used when a new server is
contacted after an LDAP referral. If ldap_set_rebind_proc() is never called, or if
it is called with a NULLrebindproc parameter, an unauthenticated simple LDAP
bind is always done when chasing referrals.

The LDAP library first calls the rebindproc() to obtain the referral bind
credentials. The freeit parameter is zero. The whop, credp, and methodp parameters
should be set as appropriate. If rebindproc() returns LDAP_SUCCESS, referral processing continues. The
rebindproc() is called a second time with a non-zero freeit value to
give the application a chance to free any memory allocated in the previous
call.

If anything but LDAP_SUCCESS is returned by the first call to rebindproc(),
referral processing is stopped and the error code is returned for the
original LDAP operation.